Obama Said Near Issuing Executive Order on Cybersecurity

Feb. 8 (Bloomberg) -- President Barack Obama will issue an
executive order aimed at bolstering U.S. cybersecurity as soon
as next week, according to two former White House officials
briefed on the administration’s plans.

The executive order, expected to be released after Obama’s
Feb. 12 State of the Union address, sets up a voluntary program
of cybersecurity standards for companies operating vital U.S.
infrastructure, according to the former officials, who asked to
not be named because the order hasn’t been issued yet.

The administration has been drafting an executive order on
computer security since at least last fall, before the Senate
failed in its second attempt to pass Obama-backed legislation to
create cyber standards for companies. Obama has said critical
assets such as water-treatment plants and railway systems
serving millions of people are vulnerable to hackers and need
greater protection.

The administration is preparing the order amid recent cyber
attacks including the security breach of a U.S. Federal Reserve
website, intrusions at the New York Times and other newspapers
attributed to Chinese hackers, and denial-of-service attacks
that disrupted websites of U.S. banks.

The order directs federal agencies to consider
incorporating the cybersecurity standards into existing
regulations, according to the officials. It directs the
government to share more information about computer threats with
the private sector and issue more security clearances allowing
industry representatives to receive classified information, the
officials said.

Congressional Authority

Caitlin Hayden, White House spokeswoman, declined to
comment on the timing or substance of a potential executive
order.

Administration officials including Homeland Security
Secretary Janet Napolitano have continued to encourage lawmakers
to act, saying only Congress has the authority to make statutory
changes to improve cybersecurity.

By early March, Director of National Intelligence James
Clapper is to release his annual assessment of threats to U.S.
national security, which in recent years has pointed to the
growing risks of cyber attacks against the U.S. and its allies.

Republicans and the U.S. Chamber of Commerce, the nation’s
largest business lobby, opposed the Obama-backed cybersecurity
bill last year, saying voluntary standards would amount to de
facto regulations that would burden industry and fail to keep
pace with evolving computer threats.

Information Sharing

House Intelligence Committee Chairman Mike Rogers, a
Michigan Republican, and the panel’s top Democrat, C.A.
“Dutch” Ruppersberger of Maryland, said they will reintroduce
a cybersecurity bill on Feb. 13. The measure, passed by the
House last year, would give companies legal protections for
sharing cyber threat information with each other and the
government, and allow the government to provide classified
threat data to the private sector.

“This is clearly not a theoretical threat -- the recent
spike in advanced cyber attacks against the banks and newspapers
makes that crystal clear,” Rogers said in an e-mailed statement
today. “We need to provide American companies the information
they need to better protect their networks from these dangerous
cyber threats.”

The Obama administration last year threatened to veto
Rogers’s bill, saying it wouldn’t shield the nation’s critical
infrastructure or protect the privacy of consumer data that
might be shared by companies.

Senate Plans

In the Senate, Democratic committee leaders introduced a
measure last month pledging to work together on cybersecurity in
the new Congress. The measure says Congress should develop a
public-private system to defend U.S. infrastructure and
establish mechanisms for sharing cyber threat information.

The co-sponsors include Tom Carper of Delaware, chairman of
the Homeland Security and Governmental Affairs Committee; Jay
Rockefeller of West Virginia, head of the Senate Commerce
Committee; and Dianne Feinstein of California, who leads the
Senate Intelligence Committee. All three were sponsors of the
bill blocked by Senate Republicans last year.

Obama in October signed a separate directive authorizing
the National Security Agency and other military units to take
more aggressive action to defeat attacks on government and
private computer systems.

European Directive

The European Union announced its own cybersecurity plan
yesterday, which could affect a wide swath of multinational
companies that operate there.

According to the draft European Commission directive,
banks, stock exchanges, hospitals and transportation companies
would have to adopt more stringent network security standards in
coordination with an appointed regulator in each member country.
The directive would require critical infrastructure companies to
tell regulators about significant cyber incidents and could
require them to make a public disclosure.

That’s stricter than rules in the U.S., which don’t make
companies disclose serious breaches unless they involve personal
identifying information like Social Security numbers or credit
card data. Even those requirements vary by state.

European disclosure requirements may affect U.S. companies
with international operations, Stewart Baker, a former assistant
secretary at the Department of Homeland Security, said in an e-mail.

“If and when adopted, it will be a game changer,” Baker
said.

“It covers banks, aviation, and Internet companies,
including cloud and e-commerce providers,” said Baker, who is
now a partner at Steptoe & Johnson LLP in Washington. “If
companies are required to report breaches in Europe, they won’t
be able to avoid reporting breaches in the U.S. as well.”